The historic data breach at the Office of Personnel Management is costing millions of dollars to fix, but congressional Republicans aren’t keen on throwing more money at the problem.
“I hope not to hear the same stale line that more money is needed,” Sen. John Boozman (R-Ark.) said Tuesday during a hearing about the hack that has compromised personal records for at least 4.2 million federal workers. “The problem is much greater than a lack of resources.”
The Senate Appropriations Subcommittee on Financial Services and General Government, chaired by Boozman, grilled OPM Director Katherine Archuleta on Tuesday on her agency’s efforts to prevent and mitigate the fallout of the data breach revealed earlier this month.
Archuleta said that the breach occurred before OPM's security system updates were in place and urged the appropriations subcommittee to continue funding projects to enhance security measures. But the agency's recent failure to protect and inform former, current and prospective employees has drawn attention to the overhaul needed to reform data breach notification standards.
Boozman told reporters after the hearing that there is a clear administration problem, and the hearing did not set his mind at ease about how the government is protecting its employees.
The deadline for OPM to contact current and former employees compromised by the recent system hack passed last Friday, but there may still be millions more people who were employed by an affected federal agency and are still anxiously waiting to hear whether their personally identifiable information (PII) is safe.
The OPM is funding credit monitoring and safeguards for those affected for up to 18 months through a private contractor, the Winvale Group LLC, which is working through subcontractor CSID, at a cost of nearly $21 million. But users are wary.
Some employees are opting out over concerns their privacy will be violated further by the fraud-protection services outsourced to the private companies. Sen. Mark Warner (D-Va.), whose state has 325,219 federal employees and retirees, as of 2014, said he dealt with a number of complaints about the process, prompting him to write to Archuleta to raise concerns about the contractor that include website crashes and 90-minute wait times on CSID’s hotline.
“As you are well aware, I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID,” Warner wrote. “Many have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft.”
OPM confirmed at a House Oversight and Government Reform Committee hearing last week that 4.2 million federal employees – roughly 2.1 million active employees, 1.1 million former government workers and 1 million retirees – had been compromised when the first data breach was discovered in June 2014, but failed to elaborate how many individuals were exposed in the second breach of its system that occurred in April of this year.
White House spokesman Josh Earnest confirmed a second breach on June 15 and said hackers may have accessed a second set of records for security clearance, putting the personal information of as many as 14 million current, former and potential federal employees at risk.
OPM’s budget for fiscal 2015 is $240 million. Before the data breach was revealed, the agency had requested $272 million for fiscal 2016, which starts on Oct. 1. When Sen. Chris Coons (D-Del.) asked Archuleta at Tuesday’s hearing whether OPM would need additional funding to upgrade its computer systems as a result of the data breach, she said the agency is working with the Office of Management and Budget to determine the appropriate funding request.
In the meantime, the failure to alert compromised employees has some lawmakers proposing better ways to protect these individuals.
Last year Congress passed S. 2521, a measure that included federal data breach notification standards and was eventually signed into law. But some lawmakers say that OPM’s response time shows more legislation might be needed.
Rep. Gerry Connolly (D-Va.), who introduced his own federal data breach bill last year, H.R. 421, said he’s considering introducing another measure to codify notification standards for government workers. But for now he’s watching to see how things pan out.
“I have been watching implementation of these provisions closely,” Connolly, who’s the top Democrat on the House Oversight and Government Reform Subcommittee on Government Operations, wrote Monday in an email. “However, recent events at OPM indicate that a more detailed and robust statutory framework governing agency breach notification procedures may be urgently needed.”
Connolly, whose congressional district in Northern Virginia is home to 74,346 former and current federal employees, said he is unhappy with the lack of movement on the issue.
“While legal requirements would certainly be the best route – and I have no plans of abandoning such efforts – in the near term, I am equally focused on ensuring that Federal agencies commit to implementing the substance of my bill as part of the recently announced ‘30 day cybersecurity sprint.’”
Senators from Virginia and Maryland, which has a total of 304,814 federal employees and retirees as residents, have asked the OPM for an extension of the 18-month credit monitoring and requested that if PII has been breached then “appropriate safeguards will be in place to alert and protect them from financial harm.”
In a letter to Archuleta, Sens. Barbara Mikulski (D-Md.), Tim Kaine (D-Va.), Ben Cardin (D-Md.) and Warner called for the agency to do more to protect federal employees during breaches:
“We find it unacceptable that over two months lapsed between the discovery of the breach and OPM’s public disclosure of the breach,” the senators wrote in the letter dated June 12. “Our federal employees deserve more timely and helpful information about this breach and the potential for significant disruptive impacts on their lives.”
Congress is not the only one demanding answers from OPM and action on cybersecurity legislation.
“Federal employees are not happy with how this matter has been handled,” William R. Dougan, national president for the National Federation of Federal Employees, which represents around 110,000 federal workers, said in a June 22 statement. “We want some straight-talking from the administration on this issue, and we want it now.”
The National Treasury Employees Union, which represents 150,000 federal employees, echoed the NFFE’s concerns, with NTEU National President Colleen M. Kelley calling for OPM to reveal exactly what information was stolen.
“Ultimately, NTEU members want to be assured that their information, and their family members’ information, is not at risk because of their profession,” Kelley wrote in a statement submitted to the House Oversight Committee last week. “Our members deserve to be able to trust that the government can properly secure their private information.”
A 2014 report from the Government Accountability Office found that while there is a federal protocol for agencies to report data breaches that involved personally identifiable information to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, the protocol was of little use.
The Office of Management and Budget requires agencies that discover system hacks to report to US-CERT within one hour of the discovery, but the GAO report found that “preparing a meaningful report within 1 hour can be infeasible,” and it could take anywhere from days to months for agencies to collect all the data necessary for a proper investigation.
OPM officials will have a busy week explaining what went wrong with the sensitive data. After Tuesday’s hearing, the House Oversight Committee will get another shot at questioning OPM at its second hearing on the matter Wednesday. And on Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold its own hearing on what went wrong.